Skip to content

Commit 541ca7c

Browse files
normanmaurernormanmaurer
authored
Merge commit from fork
Motivation: We should validate if the requested length is actual valid and readable before we try to allocate it to guard against excessive memory usage caused by a malformated request Modifications: Add length check and throw if not pass Result: Guard against excessive memory usage caused by malformated request
1 parent 943edb3 commit 541ca7c

3 files changed

Lines changed: 18 additions & 1 deletion

File tree

codec-http3/src/main/java/io/netty/handler/codec/http3/QpackDecoder.java

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -47,6 +47,9 @@ final class QpackDecoder {
4747
private static final QpackException INVALID_REQUIRED_INSERT_COUNT =
4848
QpackException.newStatic(QpackDecoder.class, "decodeRequiredInsertCount(...)",
4949
"QPACK - invalid required insert count");
50+
private static final QpackException INVALID_LENGTH_ENCODED_LITERAL =
51+
QpackException.newStatic(QpackDecoder.class, "decodeHuffmanEncodedLiteral(...)",
52+
"QPACK - invalid length for LITERAL");
5053
private static final QpackException MAX_BLOCKED_STREAMS_EXCEEDED =
5154
QpackException.newStatic(QpackDecoder.class, "shouldWaitForDynamicTableUpdates(...)",
5255
"QPACK - exceeded max blocked streams");
@@ -399,6 +402,9 @@ private CharSequence decodeHuffmanEncodedLiteral(ByteBuf in, int prefix) throws
399402
if (huffmanEncoded) {
400403
return huffmanDecoder.decode(in, length);
401404
}
405+
if (in.readableBytes() < length) {
406+
throw INVALID_LENGTH_ENCODED_LITERAL;
407+
}
402408
byte[] buf = new byte[length];
403409
in.readBytes(buf);
404410
return new AsciiString(buf, false);

codec-http3/src/main/java/io/netty/handler/codec/http3/QpackEncoderHandler.java

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,9 @@
3232
import static io.netty.util.internal.ObjectUtil.checkInRange;
3333

3434
final class QpackEncoderHandler extends ByteToMessageDecoder {
35-
35+
private static final QpackException INVALID_LENGTH_STRING_LITERAL =
36+
QpackException.newStatic(QpackEncoderHandler.class, "decodeStringLiteral(...)",
37+
"QPACK - invalid length for STRING_LITERAL");
3638
private final QpackHuffmanDecoder huffmanDecoder;
3739
private final QpackDecoder qpackDecoder;
3840
private boolean discard;
@@ -240,6 +242,9 @@ private CharSequence decodeStringLiteral(ByteBuf in, boolean huffmanEncoded, int
240242
if (huffmanEncoded) {
241243
return huffmanDecoder.decode(in, length);
242244
}
245+
if (in.readableBytes() < length) {
246+
throw INVALID_LENGTH_STRING_LITERAL;
247+
}
243248
byte[] buf = new byte[length];
244249
in.readBytes(buf);
245250
return new AsciiString(buf, false);

codec-http3/src/main/java/io/netty/handler/codec/http3/QpackHuffmanDecoder.java

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4649,6 +4649,9 @@ final class QpackHuffmanDecoder implements ByteProcessor {
46494649
private static final QpackException BAD_ENCODING = QpackException.newStatic(QpackHuffmanDecoder.class,
46504650
"decode(...)", "QPACK - Bad Encoding");
46514651

4652+
private static final QpackException INVALID_LENGTH = QpackException.newStatic(QpackHuffmanDecoder.class,
4653+
"decode(...)", "QPACK - Invalid length");
4654+
46524655
private byte[] dest;
46534656
private int k;
46544657
private int state;
@@ -4666,6 +4669,9 @@ public AsciiString decode(ByteBuf buf, int length) throws QpackException {
46664669
if (length == 0) {
46674670
return AsciiString.EMPTY_STRING;
46684671
}
4672+
if (buf.readableBytes() < length) {
4673+
throw INVALID_LENGTH;
4674+
}
46694675
dest = new byte[length * 8 / 5];
46704676
try {
46714677
int readerIndex = buf.readerIndex();

0 commit comments

Comments
 (0)